CN104639328B - A kind of GOOSE message authentication method and system - Google Patents

A GOOSE message authentication method and system

Info

Publication number: CN104639328B
Authority: CN (China)
Prior art keywords: message, authentication code, key, goose, goose message
Legal status (as listed by Google; an assumption, not a legal conclusion): Expired - Fee Related
Application number: CN201510047772.5A
Other languages: Chinese (zh)
Other versions: CN104639328A
Inventors: 梁梅, 黎永昌, 王智东
Current assignee (as listed; may be inaccurate): South China University of Technology SCUT
Original assignee: South China University of Technology SCUT
Events: application filed by South China University of Technology SCUT; priority to CN201510047772.5A; publication of CN104639328A; application granted; publication of CN104639328B; current status Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The object of the invention is to provide an efficient GOOSE message authentication method that better meets the strict real-time requirements of power systems. To suit the fact that GOOSE messages must be sent continuously, the sequence counter field sqNum of the Application Protocol Data Unit (APDU) in the GOOSE message is extracted as the critical-information segment, and the remaining APDU data is compared with that of the previous message. If it is identical, the overall authentication code is obtained by appending the critical segment to the HMAC of the previous GOOSE message's non-critical APDU data and running HMAC over the result; if it differs, HMAC is first run over the non-critical data to obtain an authentication code, then the critical segment is appended to that authentication code and HMAC is run again to obtain the overall authentication code. The efficiency of this authentication method is far higher than that of the classical method, which runs HMAC directly over the whole APDU content.

Description

A GOOSE message authentication method and system
Technical field
The invention belongs to the field of power system information security, and in particular relates to an authentication method for GOOSE messages as defined in IEC 61850.
Background technology
The power communication network is progressively developing from an independent, closed system into an open system interconnected over a wide area. Its boundaries and geographical distribution keep expanding and its access methods become more flexible, so the security of message data is becoming an increasingly prominent issue.
In the power communication network, GOOSE (Generic Object Oriented Substation Event) messages are mainly used to carry operational commands such as breaker trip and close, and important events such as breaker position; their security, accuracy and timeliness largely determine the reliability of power system operation. Moreover, as smart grids built on digital substations come into ever wider use, GOOSE messages may be transmitted across regions and across grids, which makes them more exposed to eavesdropping, attack, tampering and similar intrusion events, so their importance for power information security becomes even more prominent. When a message that directly affects the power system state, as GOOSE messages do, is tampered with, the consequences may be disastrous.
The power system information security standard IEC 62351 recommends HMAC authentication or digital signatures to ensure the integrity of GOOSE messages. However, given the actual computing and storage capacity of current intelligent electronic devices, digital signature methods based on asymmetric encryption can hardly meet the 4 ms delay requirement of power messages such as GOOSE. Therefore current research on GOOSE security algorithms mainly chooses the keyed Hash-based Message Authentication Code (hereinafter HMAC) to ensure integrity. An HMAC computation uses a hash algorithm, takes a key and a message as input, and produces a message digest as output.
GOOSE messages are sent using a heartbeat mechanism: the same heartbeat message is sent repeatedly at intervals. The messages in one GOOSE heartbeat series have essentially identical content, differing only in the sequence counter field sqNum, which records how many messages of the heartbeat have been sent so far. In this situation, running HMAC directly over the entire content of every GOOSE message sent is not efficient.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art and, in view of the characteristics of GOOSE heartbeat messages, to provide a GOOSE message authentication method. Following the idea of avoiding repeated authentication computation over identical content in heartbeat messages, the method proposed here is an efficient GOOSE message authentication method that improves authentication computation efficiency and better meets the strict real-time requirements of power systems.
A further object of the invention is to provide a GOOSE message authentication system.
The first object of the invention is achieved by the following technical solution:
A GOOSE message authentication method, in which the variable data is placed at the end of the data to be processed, comprising the following steps:
Creating the authenticated GOOSE message: determine whether the non-critical information of the Application Protocol Data Unit (APDU) in the current GOOSE message is consistent with that in the previous GOOSE message, where the non-critical information is all information of the APDU except the sequence counter field sqNum. If consistent, reuse directly the authentication code of the non-critical APDU information of the previous GOOSE message and, together with the critical information of the current APDU, generate the overall authentication code by HMAC, where the critical information is the sequence counter field sqNum of the APDU. If inconsistent, first generate the authentication code of the non-critical APDU information of the current GOOSE message, then use it together with the critical information of the current message to generate the overall authentication code by HMAC. Apply a cyclic redundancy check to the overall authentication code to generate a check code, fill it into the frame check field of the current GOOSE message, and the creation of the authenticated GOOSE message is complete;
Verifying the authenticated GOOSE message: first generate the authentication code of the non-critical APDU information of the current GOOSE message, then use that authentication code together with the critical information of the current message to generate the overall authentication code by HMAC, apply a cyclic redundancy check to the overall authentication code to generate a check code, and compare it with the content of the frame check field of the current GOOSE message; if the two are consistent, authentication passes, otherwise it fails.
Further, the step of creating the authenticated GOOSE message is specifically:
S11: extract the critical information of the Application Protocol Data Unit APDU in the current GOOSE message and generate the first critical segment P2;
S12: delete the critical information from the current GOOSE message and generate the first non-critical segment P1;
S13: determine whether the first non-critical segment P1 is consistent with the non-critical information of the APDU in the previous GOOSE message; if so, skip to S15, otherwise go to step S14;
S14: using a pre-selected key and hash function, run HMAC over the first non-critical segment P1 to obtain the first authentication code C1, append the first critical segment P2 to the end of C1 to form the second authentication code C2, run HMAC over C2 with the same key and hash function to obtain the first overall authentication code C01, and skip to step S16;
S15: append the first critical segment P2 to the end of the third authentication code C3, which is the result of running HMAC over the non-critical segment of the APDU in the previous GOOSE message, to form the fourth authentication code C4; run HMAC over C4 with the key and hash function of step S14 to obtain the first overall authentication code C01, and skip to step S16;
S16: apply a cyclic redundancy check to the first overall authentication code C01 and fill the resulting check code K01 into the frame check field of the GOOSE message, completing the creation of the authenticated GOOSE message.
Further, the step of verifying the authenticated GOOSE message is specifically:
S21: extract the critical information of the Application Protocol Data Unit APDU in the authenticated GOOSE message to be verified and generate the second critical segment P4;
S22: delete the critical information from the authenticated GOOSE message to be verified and generate the second non-critical segment P3;
S23: using the key and hash function of step S14, run HMAC over the second non-critical segment P3 to obtain the fifth authentication code C5, append the second critical segment P4 to the end of C5 to form the sixth authentication code C6, and run HMAC over C6 with the key and hash function of step S14 to obtain the second overall authentication code C02;
S24: apply a cyclic redundancy check to the second overall authentication code C02 to obtain the check code K02, and compare K02 with the frame check field of the authenticated GOOSE message to be verified; if the two are consistent, verification succeeds, otherwise it fails.
Further, the critical information includes the sequence counter field sqNum.
Further, the key is a character string of length between 16 and 128 bytes.
Further, the hash function is MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512.
The other object of the invention is achieved by the following technical solution:
A GOOSE message authentication system, in which the variable data is placed at the end of the data to be processed, comprising the following modules:
A module for creating authenticated GOOSE messages, which determines whether the non-critical information of the Application Protocol Data Unit (APDU) in the current GOOSE message is consistent with that in the previous GOOSE message, where the non-critical information is all information of the APDU except the sequence counter field sqNum. If consistent, the authentication code of the non-critical APDU information of the previous GOOSE message is reused directly and, together with the critical information of the current APDU, the overall authentication code is generated by HMAC, where the critical information is the sequence counter field sqNum of the APDU. If inconsistent, the authentication code of the non-critical APDU information of the current GOOSE message is generated first and then used together with the critical information of the current message to generate the overall authentication code by HMAC. A cyclic redundancy check is applied to the overall authentication code to generate a check code, which is filled into the frame check field of the current GOOSE message, completing the creation of the authenticated GOOSE message;
A module for verifying authenticated GOOSE messages, which first generates the authentication code of the non-critical APDU information of the current GOOSE message, then uses that authentication code together with the critical information of the current message to generate the overall authentication code by HMAC, applies a cyclic redundancy check to the overall authentication code to generate a check code, and compares it with the content of the frame check field of the current GOOSE message; if the two are consistent, authentication passes, otherwise it fails.
Further, the module for creating authenticated GOOSE messages includes:
A first critical-segment generation unit, which extracts the critical information of the Application Protocol Data Unit APDU in the current GOOSE message and generates the first critical segment P2;
A first non-critical-segment generation unit, which deletes the critical information from the current GOOSE message and generates the first non-critical segment P1;
A first judging unit, which determines whether the first non-critical segment P1 is consistent with the non-critical information of the APDU in the previous GOOSE message; if so, control passes to the second overall-authentication-code generation unit, otherwise to the first overall-authentication-code generation unit;
A first overall-authentication-code generation unit, which uses a pre-selected key and hash function to run HMAC over the first non-critical segment P1, obtaining the first authentication code C1, appends the first critical segment P2 to the end of C1 to form the second authentication code C2, runs HMAC over C2 with the same key and hash function to obtain the first overall authentication code C01, and passes control to the check code filling unit;
A second overall-authentication-code generation unit, which appends the first critical segment P2 to the end of the third authentication code C3, the result of running HMAC over the non-critical segment of the APDU in the previous GOOSE message, to form the fourth authentication code C4, runs HMAC over C4 with the key and hash function to obtain the first overall authentication code C01, and passes control to the check code filling unit;
A check code filling unit, which applies a cyclic redundancy check to the first overall authentication code C01 and fills the resulting check code K01 into the frame check field of the GOOSE message, completing the creation of the authenticated GOOSE message.
Further, the module for verifying authenticated GOOSE messages includes:
A second critical-segment generation unit, which extracts the critical information of the Application Protocol Data Unit APDU in the authenticated GOOSE message to be verified and generates the second critical segment P4;
A second non-critical-segment generation unit, which deletes the critical information from the authenticated GOOSE message to be verified and generates the second non-critical segment P3;
A third overall-authentication-code generation unit, which uses the key and hash function to run HMAC over the second non-critical segment P3, obtaining the fifth authentication code C5, appends the second critical segment P4 to the end of C5 to form the sixth authentication code C6, and runs HMAC over C6 with the key and hash function to obtain the second overall authentication code C02;
A second judging unit, which applies a cyclic redundancy check to the second overall authentication code C02 to obtain the check code K02 and compares K02 with the frame check field of the authenticated GOOSE message to be verified; if the two are consistent, verification succeeds, otherwise it fails.
The invention has the following advantages and effects over the prior art:
(1) Without reducing the security of the message information, the invention reduces the repeated HMAC authentication computation over identical content in GOOSE heartbeat messages and so improves the efficiency of HMAC authentication computation.
(2) The invention proposes an efficient GOOSE message authentication method that can better meet the strict real-time requirements of power systems.
Brief description of the drawings
Fig. 1 is the flowchart for creating an authenticated GOOSE message in embodiment one;
Fig. 2 is the flowchart for verifying an authenticated GOOSE message in embodiment one;
Fig. 3 is the structure diagram of a GOOSE message in the invention;
Fig. 4 is GOOSE message case 1 in embodiment two;
Fig. 5 is GOOSE message case 2 in embodiment two;
Fig. 6 is GOOSE message case 3 in embodiment two;
Fig. 7 is the block diagram of the GOOSE message authentication system in embodiment three;
Fig. 8 is the block diagram of the module for creating authenticated GOOSE messages in embodiment three;
Fig. 9 is the block diagram of the module for verifying authenticated GOOSE messages in embodiment three.
Embodiment
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is described in more detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Embodiment one
Refer to Fig. 1 and Fig. 2, which are the flowcharts in this embodiment for creating an authenticated GOOSE message and for verifying an authenticated GOOSE message respectively.
The efficient GOOSE message authentication method disclosed in this embodiment specifically includes two steps: creating the authenticated GOOSE message and verifying the authenticated GOOSE message.
The process of creating the authenticated GOOSE message is shown in Fig. 1. This step first determines whether the non-critical information of the Application Protocol Data Unit (APDU) in the current GOOSE message (the structure of a GOOSE message is shown in Fig. 3) is consistent with that of the previous GOOSE message. If consistent, the authentication code of the non-critical APDU information of the previous GOOSE message is reused directly and, together with the critical information of the current APDU, the overall authentication code is generated by HMAC; if inconsistent, the authentication code of the non-critical APDU information of the current GOOSE message is generated first and then used together with the critical information of the current message to generate the overall authentication code by HMAC. A cyclic redundancy check is applied to the overall authentication code to generate a check code, which is filled into the frame check field of the current GOOSE message, completing the creation of the authenticated GOOSE message.
The process of verifying the authenticated GOOSE message is shown in Fig. 2. This step first generates the authentication code of the non-critical APDU information of the current GOOSE message, then uses that authentication code together with the critical information of the current message to generate the overall authentication code by HMAC, applies a cyclic redundancy check to the overall authentication code to generate a check code, and compares it with the content of the frame check field of the current GOOSE message; if the two are consistent, authentication passes, otherwise it fails.
HMAC is the keyed Hash-based Message Authentication Code. An HMAC computation uses a hash algorithm, takes a key and a message as input, and produces a message digest as output.
HMAC is a message authentication code based on a hash function. It needs a cryptographic hash function (denoted H, which may be MD5 or SHA-1) and a key K to compute the message authentication code.
Computing HMAC requires a hash function hash (which may be MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512) and a key key (a character string of 16 to 128 bytes). Let L denote the output length of the hash function (16 for MD5) and B the data block length (64 for both MD5 and SHA-1, which split their input into blocks of that length). The key length may be less than or equal to the block length B; if it is greater than B, the key is first hashed with the hash function and the resulting L-byte value is used as the key.
Two B-byte strings are then created:
innerpad = B bytes of 0x36;
outterpad = B bytes of 0x5C;
and the HMAC of the input string str is computed as:
hash(key^outterpad, hash(key^innerpad, str))
where ^ is bitwise XOR and the comma denotes concatenation of the two arguments.
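As an added illustration of the HMAC construction just described (example code written for this page, not code from the patent), the following Python builds HMAC from the innerpad/outterpad formula, including the hash-the-key rule for keys longer than B, and cross-checks it against the standard library. The key is the one given in embodiment two; the sample message is constructed.

```python
import hashlib
import hmac

# Key from embodiment two of the patent; the message below is constructed for this example.
PAGE_KEY = b"qazwsxedcrfvtgbyhnujmik,ol.p;/"
SAMPLE_MSG = b"IED1CTRL/LLN0$GO$gcb01 stNum=2 sqNum=1"


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC built exactly as the page describes.

    B is the hash block length (64 bytes for MD5 and SHA-1), L the digest length.
    A key longer than B is first replaced by hash(key), which is L bytes long;
    a key shorter than B is padded with zero bytes to B bytes.
    innerpad is B bytes of 0x36 and outterpad is B bytes of 0x5C; the result is
    hash(key ^ outterpad || hash(key ^ innerpad || msg)).
    """
    B = hashlib.new(hash_name).block_size
    if len(key) > B:
        key = hashlib.new(hash_name, key).digest()   # reduce a long key to L bytes
    key = key.ljust(B, b"\x00")                      # pad a short key to B bytes
    key_inner = bytes(k ^ 0x36 for k in key)         # key ^ innerpad
    key_outer = bytes(k ^ 0x5C for k in key)         # key ^ outterpad
    inner = hashlib.new(hash_name, key_inner + msg).digest()
    return hashlib.new(hash_name, key_outer + inner).digest()


def matches_library(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against Python's standard hmac module."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), expected)


if __name__ == "__main__":
    print(hmac_manual(PAGE_KEY, SAMPLE_MSG).hex())
    print(matches_library(PAGE_KEY, SAMPLE_MSG))
```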
As shown in Fig. 1, the steps for creating the authenticated GOOSE message are specifically:
S11: extract the critical information of the Application Protocol Data Unit APDU in the GOOSE message and generate the first critical segment P2; in this embodiment the critical information is the sequence counter field sqNum.
S12: delete the critical information from the GOOSE message and generate the first non-critical segment P1;
S13: determine whether the first non-critical segment P1 is consistent with the non-critical information of the APDU in the previous GOOSE message; if so, skip to S15, otherwise go to step S14;
S14: using a pre-selected key and hash function, run HMAC over the first non-critical segment P1 to obtain the first authentication code C1, append the first critical segment P2 to the end of C1 to form the second authentication code C2, run HMAC over C2 with the same key and hash function to obtain the first overall authentication code C01, and skip to step S16;
S15: append the first critical segment P2 to the end of the third authentication code C3, which is the result of running HMAC over the non-critical segment of the APDU in the previous GOOSE message, to form the fourth authentication code C4; run HMAC over C4 with the key and hash function of step S14 to obtain the first overall authentication code C01, and skip to step S16;
S16: apply a cyclic redundancy check to the first overall authentication code C01 and fill the resulting check code K01 into the frame check field of the GOOSE message, completing the creation of the authenticated GOOSE message.
As shown in Fig. 2, the steps for verifying the authenticated GOOSE message are specifically:
S21: extract the critical information of the Application Protocol Data Unit APDU in the authenticated GOOSE message to be verified and generate the second critical segment P4;
S22: delete the critical information from the authenticated GOOSE message to be verified and generate the second non-critical segment P3;
S23: using the key and hash function of step S14, run HMAC over the second non-critical segment P3 to obtain the fifth authentication code C5, append the second critical segment P4 to the end of C5 to form the sixth authentication code C6, and run HMAC over C6 with the key and hash function of step S14 to obtain the second overall authentication code C02;
S24: apply a cyclic redundancy check to the second overall authentication code C02 to obtain the check code K02, and compare K02 with the frame check field of the authenticated GOOSE message to be verified; if the two are consistent, verification succeeds, otherwise it fails.
When the authentication algorithm and key length of the GOOSE message are fixed, the core of reducing the time taken by GOOSE message authentication lies in reducing the length of the content over which the cryptographic computation is performed. Analysing the GOOSE sending mechanism, GOOSE messages are sent repeatedly at irregular intervals, and apart from the sqNum parameter the other data in the GOOSE message APDU are constant. Combined with the fact that hash algorithms process the data to be computed in 512-bit blocks and give a constant output for a fixed input, the changing data can be placed at the end of the data to be processed, so that the hash computation over the unchanged preceding data can be avoided.
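The following Python is an added worked example, not part of the patent, of the creation steps S11 to S16 with the cached C3 path and the verification steps S21 to S24, using the parameters of embodiment two (SHA-1, CRC32 and the key given there). The APDU contents, the field tags other than the sqNum tag 0x86 that appears in the page's P2 values, and the three-message series are constructed for this example, so the hex results differ from those listed for Fig. 4 to Fig. 6; the sender counts HMAC invocations to show the saving on the consistent path.

```python
import hmac
import zlib

KEY = b"qazwsxedcrfvtgbyhnujmik,ol.p;/"   # key given in embodiment two
HASH = "sha1"                                # hash function of embodiment two
SQNUM_TAG = 0x86                             # tag byte of the page's P2 values (86 01 0f ...)

def tlv(tag: int, value: bytes) -> bytes:
    """Short-form tag/length/value field; all values here are shorter than 128 bytes."""
    return bytes([tag, len(value)]) + value

def build_apdu(st_num: int, sq_num: int, t: bytes, all_data: bytes) -> bytes:
    """Constructed, simplified GOOSE APDU for this example (not a real capture)."""
    return (tlv(0x80, b"IED1CTRL/LLN0$GO$gcb01")    # gocbRef
            + tlv(0x81, b"\x0b\xb8")                # timeAllowedToLive
            + tlv(0x82, b"IED1CTRL/LLN0$dsGOOSE")   # datSet
            + tlv(0x83, b"IED1_GOOSE")              # goID
            + tlv(0x84, t)                          # t
            + tlv(0x85, bytes([st_num]))            # stNum
            + tlv(SQNUM_TAG, bytes([sq_num]))       # sqNum: the critical segment
            + tlv(0x87, b"\x00")                    # test
            + tlv(0x88, b"\x01")                    # confRev
            + tlv(0x89, b"\x00")                    # ndsCom
            + tlv(0x8a, b"\x01")                    # numDatSetEntries
            + tlv(0xab, all_data))                  # allData

def split_apdu(apdu: bytes):
    """S11/S12 (S21/S22 on the receiver): returns (non-critical segment, sqNum segment)."""
    i, non_critical, critical = 0, b"", None
    while i < len(apdu):
        tag, length = apdu[i], apdu[i + 1]
        field = apdu[i:i + 2 + length]
        if tag == SQNUM_TAG:
            critical = field
        else:
            non_critical += field
        i += 2 + length
    if critical is None:
        raise ValueError("APDU has no sqNum field")
    return non_critical, critical

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

class Sender:
    """Creates authenticated messages (S11-S16), caching C1 of the previous P1."""

    def __init__(self):
        self.prev_p1 = None
        self.prev_c1 = None      # becomes C3 when the next message's P1 is unchanged
        self.hmac_calls = 0      # counts HMAC invocations to show the saving

    def _hmac(self, data: bytes) -> bytes:
        self.hmac_calls += 1
        return hmac.new(KEY, data, HASH).digest()

    def create(self, apdu: bytes) -> int:
        p1, p2 = split_apdu(apdu)
        if p1 == self.prev_p1:                   # S13 consistent -> S15
            c01 = self._hmac(self.prev_c1 + p2)  # C4 = C3 || P2, C01 = HMAC(C4)
        else:                                    # S14
            c1 = self._hmac(p1)                  # C1 = HMAC(P1)
            c01 = self._hmac(c1 + p2)            # C2 = C1 || P2, C01 = HMAC(C2)
            self.prev_p1, self.prev_c1 = p1, c1
        return crc32(c01)                        # S16: K01 for the frame check field

def verify(apdu: bytes, check_code: int) -> bool:
    """Receiver side (S21-S24): always recomputes both HMACs."""
    p3, p4 = split_apdu(apdu)
    c5 = hmac.new(KEY, p3, HASH).digest()        # C5 = HMAC(P3)
    c02 = hmac.new(KEY, c5 + p4, HASH).digest()  # C6 = C5 || P4, C02 = HMAC(C6)
    k02 = crc32(c02)
    return hmac.compare_digest(k02.to_bytes(4, "big"), check_code.to_bytes(4, "big"))

def run_heartbeat_series():
    """Three constructed messages in the pattern of Fig. 4-6; returns (verified, HMAC calls so far)."""
    series = [
        (1, 15, b"\x00" * 8, b"\x83\x01\x01"),             # a heartbeat with sqNum 15
        (2, 0, b"\x00" * 7 + b"\x01", b"\x83\x01\x00"),    # new series: stNum, t, allData changed
        (2, 1, b"\x00" * 7 + b"\x01", b"\x83\x01\x00"),    # second heartbeat: only sqNum changed
    ]
    sender, out = Sender(), []
    for st, sq, t, data in series:
        apdu = build_apdu(st, sq, t, data)
        out.append((verify(apdu, sender.create(apdu)), sender.hmac_calls))
    return out

def tamper_detected() -> bool:
    """A bit flipped in allData after the check code was produced must fail verification."""
    apdu = build_apdu(2, 1, b"\x00" * 8, b"\x83\x01\x00")
    code = Sender().create(apdu)
    tampered = apdu[:-1] + bytes([apdu[-1] ^ 0x01])
    return verify(apdu, code) and not verify(tampered, code)
```

The third message takes the S15 path and costs one HMAC instead of two, while the receiver's full recomputation still matches, which shows that the cached C3 equals the C1 the receiver derives.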
Embodiment two
This embodiment discloses a specific implementation of the efficient GOOSE message authentication method of the invention. In embodiment two the key used by the hash algorithm is the character string "qazwsxedcrfvtgbyhnujmik,ol.p;/", the hash function is SHA-1, and the cyclic redundancy check is the 32-bit CRC32.
Fig. 4 to Fig. 6 show three GOOSE messages. After the GOOSE message shown in Fig. 4 is sent, a switch-state change occurs and a new GOOSE heartbeat series is formed; Fig. 5 and Fig. 6 are the first and second GOOSE messages of the new series.
1. For the GOOSE message in Fig. 4, the sender's authentication code generation steps are as follows:
The critical segment P2 and the non-critical segment P1 are generated from the GOOSE message, and the current non-critical segment P1 is compared with the non-critical segment of the previous message. The two are inconsistent (the stNum, t and allData fields differ), so HMAC is run directly over the non-critical segment P1 to obtain the first authentication code C1 (hexadecimal):
bda031b95d8db0ba30e78449d08f5e71b0632174(Hex);
The first authentication code is then concatenated with the critical segment P2 to obtain the second authentication code C2:
bda031b95d8db0ba30e78449d08f5e71b063217486010f(Hex);
HMAC is run over C2 to obtain the first overall authentication code C01:
e153ff8857e71ef24b08380f4824a2e75b928a64(Hex);
A cyclic redundancy check is then run over C01 to obtain the check code:
5265BD27;
The check code is filled into the frame check field of the GOOSE message, which completes the generation of the authentication code for the GOOSE message in Fig. 4.
The receiver's authentication steps are as follows:
The non-critical segment P3 and the critical segment P4 are generated from the received GOOSE message, and HMAC is run over the non-critical segment P3 to obtain the fifth authentication code C5 (hexadecimal):
bda031b95d8db0ba30e78449d08f5e71b0632174(Hex);
The fifth authentication code is then concatenated with the critical segment P4 to obtain the sixth authentication code C6:
bda031b95d8db0ba30e78449d08f5e71b063217486010f(Hex);
HMAC is run over C6 to obtain the second overall authentication code C02:
e153ff8857e71ef24b08380f4824a2e75b928a64(Hex);
A cyclic redundancy check is then run over C02 to obtain the check code:
5265BD27;
The check code matches the frame check field of the GOOSE message, so authentication passes.
2. For the GOOSE message in Fig. 5, the sender's authentication code generation steps are as follows:
The critical segment P2 and the non-critical segment P1 are generated from the GOOSE message, and the current non-critical segment P1 is compared with the non-critical segment of the previous message. The two are inconsistent (the stNum, t and allData fields differ), so HMAC is run directly over the non-critical segment P1 to obtain the first authentication code C1 (hexadecimal):
88580e829232f09be7e3ba60b883cc083506e5a1(Hex);
The first authentication code is then concatenated with the critical segment P2 to obtain the second authentication code C2:
88580e829232f09be7e3ba60b883cc083506e5a1860100(Hex);
HMAC is run over C2 to obtain the first overall authentication code C01:
d995a3b16b79f3334bf0c6d81512c1f929bde8e0(Hex);
A cyclic redundancy check is then run over C01 to obtain the check code:
30A15AB6;
The check code is filled into the frame check field of the GOOSE message, which completes the generation of the authentication code for the GOOSE message in Fig. 5.
The receiver's authentication steps are as follows:
The non-critical segment P3 and the critical segment P4 are generated from the received GOOSE message, and HMAC is run over the non-critical segment P3 to obtain the fifth authentication code C5 (hexadecimal):
88580e829232f09be7e3ba60b883cc083506e5a1(Hex);
The fifth authentication code is then concatenated with the critical segment P4 to obtain the sixth authentication code C6:
88580e829232f09be7e3ba60b883cc083506e5a1860100(Hex);
HMAC is run over C6 to obtain the second overall authentication code C02:
d995a3b16b79f3334bf0c6d81512c1f929bde8e0(Hex);
A cyclic redundancy check is then run over C02 to obtain the check code:
30A15AB6;
The check code matches the frame check field of the GOOSE message, so authentication passes.
3. For the GOOSE message in Fig. 6, the sender generates the authentication code as follows:
The key message segment P2 and the non-key message segment P1 are generated from the GOOSE message. The current non-key segment P1 is compared with the non-key segment of the previous message; the two are identical, so the third authentication code C3 equals the first authentication code C1 of the previous GOOSE message and does not need to be recomputed (hexadecimal):
88580e829232f09be7e3ba60b883cc083506e5a1(Hex);
The third authentication code is then concatenated with the key message segment P2 to obtain the fourth authentication code C4:
88580e829232f09be7e3ba60b883cc083506e5a1860101(Hex);
An HMAC operation on C4 gives the first overall authentication code C01:
11af0d95c4aadc568dfa0f414fd229562b8503f4(Hex);
A cyclic redundancy check on C01 then gives the check code:
087CDED7;
The check code is written into the frame check field of the GOOSE message, which completes generation of the authentication code for the GOOSE message of Fig. 6.
The receiver verifies the message as follows:
The key message segment P4 and the non-key message segment P3 are generated from the received GOOSE message. An HMAC operation on the non-key segment P3 gives the fifth authentication code C5 (hexadecimal):
88580e829232f09be7e3ba60b883cc083506e5a1(Hex);
The fifth authentication code is then concatenated with the key message segment P4 to obtain the sixth authentication code C6:
88580e829232f09be7e3ba60b883cc083506e5a1860101(Hex);
An HMAC operation on C6 gives the second overall authentication code C02:
11af0d95c4aadc568dfa0f414fd229562b8503f4(Hex);
A cyclic redundancy check on C02 then gives the check code:
087CDED7;
The check code matches the frame check field of the GOOSE message, so the authentication passes.
Embodiment three
This embodiment discloses a GOOSE message authentication system, whose composition is shown in the block diagram of Fig. 7. The system comprises two modules: a create-GOOSE-authentication-message module and a verify-GOOSE-authentication-message module.
The create-GOOSE-authentication-message module judges whether the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message is identical to that of the previous GOOSE message. If identical, it directly reuses the authentication code corresponding to the non-key information of the APDU of the previous GOOSE message and combines it, by an HMAC operation, with the key information of the APDU of the current GOOSE message to generate an overall authentication code. If not identical, it first generates the authentication code corresponding to the non-key information of the APDU of the current GOOSE message, then combines that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate the overall authentication code. The overall authentication code is passed through a cyclic redundancy check to generate a check code, which is written into the frame check code field of the current GOOSE message; this completes creation of the GOOSE authentication message.
The verify-GOOSE-authentication-message module first generates the authentication code corresponding to the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message, then combines that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate an overall authentication code. The overall authentication code is passed through a cyclic redundancy check to generate a check code, which is compared with the content of the frame check code field of the current GOOSE message; if the two are identical the authentication passes, otherwise it fails.
As shown in the block diagram of the create-GOOSE-authentication-message module in Fig. 8, this module comprises:
a first key information message segment generation unit, which extracts the key information of the Application Protocol Data Unit APDU in the GOOSE message and generates the first key information message segment P2;
a first non-key information message segment generation unit, which deletes the key information from the GOOSE message and generates the first non-key information message segment P1;
a first judging unit, which judges whether the first non-key information message segment P1 is identical to the non-key information of the Application Protocol Data Unit APDU in the previous GOOSE message; if identical, control passes to the second overall-authentication-code generation unit, otherwise to the first overall-authentication-code generation unit;
a first overall-authentication-code generation unit, which, using a pre-selected key and hash function, performs an HMAC operation on the first non-key information message segment P1 to obtain the first authentication code C1, appends the first key information message segment P2 to the end of C1 to form the second authentication code C2, performs an HMAC operation on C2 with the same key and hash function to obtain the first overall authentication code C01, and passes control to the check code filling unit;
a second overall-authentication-code generation unit, which appends the first key information message segment P2 to the end of the third authentication code C3 (the result of the HMAC operation on the non-key information message segment of the APDU of the previous GOOSE message) to form the fourth authentication code C4, performs an HMAC operation on C4 with the same key and hash function to obtain the first overall authentication code C01, and passes control to the check code filling unit;
a check code filling unit, which applies a cyclic redundancy check to the first overall authentication code C01 and writes the resulting check code K01 into the frame check code field of the GOOSE message, completing creation of the GOOSE authentication message.
As shown in the block diagram of the verify-GOOSE-authentication-message module in Fig. 9, this module comprises:
a second key information message segment generation unit, which extracts the key information of the Application Protocol Data Unit APDU in the GOOSE authentication message to be verified and generates the second key information message segment P4;
a second non-key information message segment generation unit, which deletes the key information from the GOOSE authentication message to be verified and generates the second non-key information message segment P3;
a third overall-authentication-code generation unit, which, using the key and hash function, performs an HMAC operation on the second non-key information message segment P3 to obtain the fifth authentication code C5, appends the second key information message segment P4 to the end of C5 to form the sixth authentication code C6, and performs an HMAC operation on C6 with the key and hash function to obtain the second overall authentication code C02;
a second judging unit, which applies a cyclic redundancy check to the second overall authentication code C02 to obtain the check code K02 and compares K02 with the frame check code field of the GOOSE authentication message to be verified; if the two are identical the verification succeeds, otherwise it fails.
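The procedure described in the worked examples for Fig. 5 and Fig. 6 and in the module descriptions above (steps S11 to S16 on the sender, S21 to S24 on the receiver), as an added example in Python; this is not code from the patent or its applicant. It assumes HMAC-SHA-1 (the 40-hex-digit codes on the page are 20 bytes, the SHA-1 output size; the page itself lists several hash functions), a constructed shared key, and a minimal BER-encoded IECGoosePdu built inline as sample input, with the sqNum field carrying context tag 0x86 so that the extracted key segment matches the 86 01 00 / 86 01 01 bytes shown on the page. The `Sender` class counts HMAC invocations to show where the saving on retransmissions comes from.

```python
"""Two-stage HMAC authentication of a GOOSE APDU with sqNum as the trailing key segment.

Added example, not code from the patent or its applicant. Assumptions not stated on
the page: HMAC-SHA-1 (the page's 40-hex-digit codes are 20 bytes, the SHA-1 output
size), a constructed shared key, and a minimal BER-encoded IECGoosePdu (outer tag
0x61, sqNum carrying context tag 0x86) built below as sample input.
"""
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key-0123456789abcdef"  # constructed; 16..128 bytes as in claim 2
PDU_TAG = 0x61      # IECGoosePdu [APPLICATION 1]
SQNUM_TAG = 0x86    # sqNum, context-specific [6] primitive (page shows '86 01 00')


def _ber_len(buf: bytes, i: int):
    """Return (header_bytes, content_bytes) for the BER TLV starting at buf[i]."""
    first = buf[i + 1]
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        return 2 + n, int.from_bytes(buf[i + 2:i + 2 + n], "big")
    return 2, first


def split_apdu(apdu: bytes):
    """Return (P2, P1): P2 is the sqNum TLV, P1 is the APDU with that TLV cut out."""
    if not apdu or apdu[0] != PDU_TAG:
        raise ValueError("not an IECGoosePdu")
    hdr, clen = _ber_len(apdu, 0)
    i, end = hdr, hdr + clen
    while i < end:
        h, l = _ber_len(apdu, i)
        if apdu[i] == SQNUM_TAG:
            return apdu[i:i + h + l], apdu[:i] + apdu[i + h + l:]
        i += h + l
    raise ValueError("sqNum field not found")


class Sender:
    """Creates the check code, caching HMAC(P1) while P1 (stNum, t, allData, ...) is unchanged."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_p1 = None
        self.c1 = None
        self.hmac_calls = 0       # instrumentation: shows the saving on retransmissions

    def _hmac(self, data: bytes) -> bytes:
        self.hmac_calls += 1
        return hmac.new(self.key, data, hashlib.sha1).digest()

    def check_code(self, apdu: bytes) -> bytes:
        p2, p1 = split_apdu(apdu)
        if p1 != self.last_p1:                 # S14: non-key segment changed, recompute C1
            self.c1, self.last_p1 = self._hmac(p1), p1
        # S15 otherwise: C3 is the cached C1, no HMAC over the (long) P1
        c01 = self._hmac(self.c1 + p2)         # C2/C4 = C1 || P2, then HMAC again
        return zlib.crc32(c01).to_bytes(4, "big")   # S16: 32-bit check code for the FCS field


def verify(key: bytes, apdu: bytes, check_code: bytes) -> bool:
    """Receiver side (S21..S24): recompute from scratch and compare in constant time."""
    p4, p3 = split_apdu(apdu)
    c5 = hmac.new(key, p3, hashlib.sha1).digest()
    c02 = hmac.new(key, c5 + p4, hashlib.sha1).digest()
    return hmac.compare_digest(zlib.crc32(c02).to_bytes(4, "big"), check_code)


def make_apdu(stnum: int, sqnum: int, all_data: bytes) -> bytes:
    """Constructed minimal IECGoosePdu: gocbRef [0], t [4], stNum [5], sqNum [6], allData [11]."""
    inner = (bytes([0x80, 4]) + b"IED1"        # gocbRef (VisibleString)
             + bytes([0x84, 8]) + bytes(8)     # t (UtcTime, zeroed placeholder)
             + bytes([0x85, 1, stnum])
             + bytes([SQNUM_TAG, 1, sqnum])
             + bytes([0xAB, len(all_data)]) + all_data)
    return bytes([PDU_TAG, len(inner)]) + inner


def demo():
    """Burst of three frames: initial, retransmission (sqNum+1), new state; returns what a test checks."""
    s = Sender(KEY)
    m0 = make_apdu(1, 0, b"\x83\x01\x01")      # allData: one BOOLEAN TRUE
    m1 = make_apdu(1, 1, b"\x83\x01\x01")      # same P1, only sqNum changes
    m2 = make_apdu(2, 0, b"\x83\x01\x00")      # state change: stNum and allData differ
    fcs0, calls0 = s.check_code(m0), s.hmac_calls
    fcs1, calls1 = s.check_code(m1), s.hmac_calls
    fcs2, calls2 = s.check_code(m2), s.hmac_calls
    tampered = m1[:-1] + b"\x00"                # flip the BOOLEAN inside allData
    return {
        "hmac_calls": (calls0, calls1, calls2),          # (2, 3, 5)
        "sqnum_segments": (split_apdu(m0)[0], split_apdu(m1)[0]),
        "verify_ok": all(verify(KEY, m, f) for m, f in ((m0, fcs0), (m1, fcs1), (m2, fcs2))),
        "verify_tampered": verify(KEY, tampered, fcs1),
        "verify_wrong_key": verify(KEY + b"x", m1, fcs1),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from running it. First, the saving is on the sender only: a retransmission that changes nothing but sqNum costs one HMAC over the short C1 || P2 instead of two, while the receiver as described on the page still computes both HMACs for every frame. Second, the value that ends up in the frame check field is the CRC32 of the overall authentication code, so the tag the receiver actually checks is 32 bits long; the CRC adds no secrecy and a forger without the key still succeeds with probability about 2^-32 per attempt, which is the forgery bound the design accepts.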
It should be noted that in the above system embodiment the devices and units are divided purely by functional logic; the division is not limited to the one above, so long as the corresponding functions can be realised. The specific names of the devices and units serve only to distinguish them from one another and are not intended to limit the scope of protection of the invention.
The above embodiments are preferred embodiments of the invention, but the embodiments of the invention are not limited by them; any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the invention shall be regarded as an equivalent replacement and is included within the scope of protection of the invention.

Claims (4)

1. A GOOSE message authentication method, characterised in that the method places the varying data at the end of the data to be operated on, and comprises the following steps:
creating a GOOSE authentication message: judging whether the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message is identical to that in the previous GOOSE message, wherein the non-key information means all information of the APDU of the GOOSE message other than the sequence-count sqNum field; if identical, directly reusing the authentication code corresponding to the non-key information of the APDU of the previous GOOSE message and combining it, by an HMAC operation, with the key information of the APDU of the current GOOSE message to generate an overall authentication code, wherein the key information means the sequence-count sqNum field of the APDU of the GOOSE message; if not identical, first generating the authentication code corresponding to the non-key information of the APDU of the current GOOSE message, then combining that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate the overall authentication code; applying a cyclic redundancy check to the overall authentication code to generate a check code and writing it into the frame check code field of the current GOOSE message, which completes creation of the GOOSE authentication message;
verifying the GOOSE authentication message: first generating the authentication code corresponding to the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message, then combining that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate an overall authentication code, applying a cyclic redundancy check to the overall authentication code to generate a check code, and comparing it with the content of the frame check code field of the current GOOSE message; if the two are identical the authentication passes, otherwise it fails; the step of creating the GOOSE authentication message specifically comprises:
S11, extracting the key information of the Application Protocol Data Unit APDU in the current GOOSE message to generate a first key information message segment P2;
S12, deleting the key information from the current GOOSE message to generate a first non-key information message segment P1;
S13, judging whether the first non-key information message segment P1 is identical to the non-key information of the Application Protocol Data Unit APDU in the previous GOOSE message; if so, proceeding to S15, otherwise to S14;
S14, using a pre-selected key and hash function, performing an HMAC operation on the first non-key information message segment P1 to obtain a first authentication code C1, appending the first key information message segment P2 to the end of the first authentication code C1 to form a second authentication code C2, and performing an HMAC operation on the second authentication code C2 with the same key and hash function to obtain a first overall authentication code C01; proceeding to S16;
S15, appending the first key information message segment P2 to the end of the third authentication code C3, obtained by the HMAC operation on the non-key information message segment of the Application Protocol Data Unit APDU in the previous GOOSE message, to form a fourth authentication code C4, and performing an HMAC operation on the fourth authentication code C4 with the key and hash function of step S14 to obtain the first overall authentication code C01; proceeding to S16;
S16, applying a cyclic redundancy check to the first overall authentication code C01 and writing the resulting check code K01 into the frame check code field of the GOOSE message, which completes creation of the GOOSE authentication message; the step of verifying the GOOSE authentication message specifically comprises:
S21, extracting the key information of the Application Protocol Data Unit APDU in the GOOSE authentication message to be verified to generate a second key information message segment P4;
S22, deleting the key information from the GOOSE authentication message to be verified to generate a second non-key information message segment P3;
S23, using the key and hash function of step S14, performing an HMAC operation on the second non-key information message segment P3 to obtain a fifth authentication code C5, appending the second key information message segment P4 to the end of the fifth authentication code C5 to form a sixth authentication code C6, and performing an HMAC operation on the sixth authentication code C6 with the key and hash function of step S14 to obtain a second overall authentication code C02;
S24, applying a cyclic redundancy check to the second overall authentication code C02 to obtain a check code K02, and comparing the check code K02 with the frame check code field of the GOOSE authentication message to be verified; if the two are identical the verification succeeds, otherwise it fails.
2. The GOOSE message authentication method according to claim 1, characterised in that the key is a character string of 16 to 128 bytes in length.
3. The GOOSE message authentication method according to claim 1, characterised in that the hash function is MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512.
4. A GOOSE message authentication system, characterised in that the system places the varying data at the end of the data to be operated on, and comprises the following modules:
a create-GOOSE-authentication-message module, which judges whether the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message is identical to that in the previous GOOSE message, wherein the non-key information means all information of the APDU of the GOOSE message other than the sequence-count sqNum field; if identical, it directly reuses the authentication code corresponding to the non-key information of the APDU of the previous GOOSE message and combines it, by an HMAC operation, with the key information of the APDU of the current GOOSE message to generate an overall authentication code, wherein the key information means the sequence-count sqNum field of the APDU of the GOOSE message; if not identical, it first generates the authentication code corresponding to the non-key information of the APDU of the current GOOSE message, then combines that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate the overall authentication code; the overall authentication code is passed through a cyclic redundancy check to generate a check code, which is written into the frame check code field of the current GOOSE message, completing creation of the GOOSE authentication message;
a verify-GOOSE-authentication-message module, which first generates the authentication code corresponding to the non-key information of the Application Protocol Data Unit APDU in the current GOOSE message, then combines that authentication code, by an HMAC operation, with the key information of the current GOOSE message to generate an overall authentication code, passes the overall authentication code through a cyclic redundancy check to generate a check code, and compares it with the content of the frame check code field of the current GOOSE message; if the two are identical the authentication passes, otherwise it fails;
the create-GOOSE-authentication-message module comprises:
a first key information message segment generation unit, which extracts the key information of the Application Protocol Data Unit APDU in the current GOOSE message and generates a first key information message segment P2;
a first non-key information message segment generation unit, which deletes the key information from the current GOOSE message and generates a first non-key information message segment P1;
a first judging unit, which judges whether the first non-key information message segment P1 is identical to the non-key information of the Application Protocol Data Unit APDU in the previous GOOSE message; if identical, control passes to the second overall-authentication-code generation unit, otherwise to the first overall-authentication-code generation unit;
a first overall-authentication-code generation unit, which, using a pre-selected key and hash function, performs an HMAC operation on the first non-key information message segment P1 to obtain a first authentication code C1, appends the first key information message segment P2 to the end of the first authentication code C1 to form a second authentication code C2, performs an HMAC operation on the second authentication code C2 with the same key and hash function to obtain a first overall authentication code C01, and passes control to the check code filling unit;
a second overall-authentication-code generation unit, which appends the first key information message segment P2 to the end of the third authentication code C3, obtained by the HMAC operation on the non-key information message segment of the Application Protocol Data Unit APDU in the previous GOOSE message, to form a fourth authentication code C4, performs an HMAC operation on the fourth authentication code C4 with the same key and hash function to obtain the first overall authentication code C01, and passes control to the check code filling unit;
a check code filling unit, which applies a cyclic redundancy check to the first overall authentication code C01 and writes the resulting check code K01 into the frame check code field of the GOOSE message, completing creation of the GOOSE authentication message;
the verify-GOOSE-authentication-message module comprises:
a second key information message segment generation unit, which extracts the key information of the Application Protocol Data Unit APDU in the GOOSE authentication message to be verified and generates a second key information message segment P4;
a second non-key information message segment generation unit, which deletes the key information from the GOOSE authentication message to be verified and generates a second non-key information message segment P3;
a third overall-authentication-code generation unit, which, using the key and hash function, performs an HMAC operation on the second non-key information message segment P3 to obtain a fifth authentication code C5, appends the second key information message segment P4 to the end of the fifth authentication code C5 to form a sixth authentication code C6, and performs an HMAC operation on the sixth authentication code C6 with the key and hash function to obtain a second overall authentication code C02;
a second judging unit, which applies a cyclic redundancy check to the second overall authentication code C02 to obtain a check code K02 and compares the check code K02 with the frame check code field of the GOOSE authentication message to be verified; if the two are identical the verification succeeds, otherwise it fails.
CN201510047772.5A 2015-01-29 2015-01-29 A kind of GOOSE message authentication method and system Expired - Fee Related CN104639328B (en)

Publications (2)

Publication Number Publication Date
CN104639328A CN104639328A (en) 2015-05-20
CN104639328B true CN104639328B (en) 2018-04-13

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105162594B (en) * 2015-07-31 2018-03-30 飞天诚信科技股份有限公司 A kind of quick endorsement method and signature device
JP6814549B2 (en) * 2016-04-27 2021-01-20 日立オートモティブシステムズ株式会社 Arithmetic logic unit, authentication system, authentication method
CN108366055A (en) * 2018-02-05 2018-08-03 国电南瑞科技股份有限公司 A kind of GOOSE message signature and the method for certification
US11418432B1 (en) * 2021-04-22 2022-08-16 Schweitzer Engineering Laboratories, Inc. Automated communication flow discovery and configuration in a software defined network
CN113541955A (en) * 2021-06-03 2021-10-22 国电南瑞科技股份有限公司 Encryption method and device for 2M communication of security control system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102010040688A1 (en) * 2010-09-14 2012-03-15 Siemens Aktiengesellschaft Method and device for authenticating multicast messages
CN103746962B (en) * 2013-12-12 2017-01-25 华南理工大学 GOOSE electric real-time message encryption and decryption method
CN103873461B (en) * 2014-02-14 2015-09-23 中国南方电网有限责任公司 Based on the safety interacting method of the GOOSE message of IEC62351


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Liang Mei; Li Yongchang; Wang Zhidong
Inventor before: Li Yongchang; Wang Zhidong
COR Change of bibliographic data
GR01 Patent grant
Granted publication date: 20180413
CF01 Termination of patent right due to non-payment of annual fee
Termination date: 20220129